The US Supreme Court agreed on Tuesday to consider Herring v. US, a
challenge to an arrest based on inaccurate information in a government
database. The Court will decide whether to suppress the evidence
obtained.

An earlier case is important. The 1995 case Arizona v. Evans involved
evidence seized incident to an illegal arrest; in this case
a court
clerk had made the error leading to the arrest. The Supreme Court did
not suppress the evidence, but did state there might
be a different
conclusion if the error was made by law enforcement personnel.

In Herring v. US, a man was searched, evidence was gathered against him,
and he was arrested based on incorrect information in a government
database given to the arresting officers by another county's sheriff's
department clerk. Because the database had not been updated,
the police
relied on an arrest warrant that had been rescinded five months before
the search. Herring petitioned the district court
to suppress the
evidence gathered incident to his unlawful arrest, claiming the
"exclusionary rule" prevented the use of such evidence.

The district court ruled against Herring and cited to Justice Sandra Day
O'Connor's concurrence in Arizona v. Evans. According to
the district
court, Justice O'Connor "notes that the invocation of the good-faith
exception to the exclusionary rule should depend
on the reasonableness
of the police officers' reliance on the recordkeeping system itself.
Thus the good-faith exception should not
apply where there is 'no
mechanism to ensure [the recordkeeping's] system accuracy over time" and
where the system "routinely leads
to false arrests.'" The district court
found that the good-faith exception applied in Herring's case, noting
"the mistake was discovered
and corrected within ten to 15 minutes. In
addition, there is no credible evidence of routine problems with
disposing of reliable
warrants." The Eleventh Circuit Court of Appeals
later affirmed the district court's ruling.

In the Arizona v. Evans concurrence, Justice O'Connor also wrote, "In
recent years, we have witnessed the advent of powerful, computer-based
recordkeeping systems that facilitate arrests in ways that have never
before been possible. The police, of course, are entitled to
enjoy the
substantial advantages this technology confers. They may not, however,
rely on it blindly. With the benefits of more efficient
law enforcement
mechanisms comes the burden of corresponding constitutional
responsibilities."

EPIC has highlighted problems with inaccurate government databases in
formal comments to federal agencies and a 2003 online campaign
urging
the reestablishment of accuracy requirements for the FBI's National
Crime Information Center (NCIC) database, the nation's
largest criminal
justice database. In 2003, the Justice Department administratively
discharged the FBI of its statutory duty to ensure
the accuracy and
completeness of the over 39 million criminal records maintained in the
NCIC. The Privacy Act of 1974 requires the
FBI to make reasonable
efforts to ensure the accuracy and completeness of the records in the
NCIC system. EPIC and 85 other organizations
campaigned against this
change, stating that, "This action poses significant risks to privacy
and effective law enforcement. The
NCIC system provides over 80,000 law
enforcement agencies with access to data on wanted persons, missing
persons, gang members, as
well as information about stolen cars, boats,
and other information."

The House of Representatives recessed last week without voting on a
Senate bill extending the President's expanded warrantless surveillance
powers and granting immunity to telecommunications companies that
participated in the Presidents warrantless surveillance program.
This
caused the expanded surveillance powers provided in last summer's
Protect America Act (PAA) to expire this weekend. Earlier,
the House
attempted to provide a short extension to the PAA, but administration
supporters caused that extension to fail. The President
had threatened
to veto any law which did not include immunity for the
telecommunications companies. Last fall, the House passed
the RESTORE
Act, which provided these expanded powers, included oversight, and did
not include immunity. The Senate did not consider
the RESTORE Act.

The Senate bill, S. 2248, had only a few days earlier cleared the Senate
after a long fight on whether to include immunity. The House
was asked
by the administration to hurriedly accept the Senate bill, which
differed significantly from the RESTORE Act. The RESTORE
Act provides
more avenues for Foreign Intelligence Surveillance Act (FISA) court
review. The FISA court would review the procedures
used to target people
abroad. Further it narrows the scope of new surveillance authorities to
include only terrorism and national
security, and not broader foreign
intelligence information. The RESTORE Act increases the size of the FISA
court from 11 to 15 judges;
allows the court to sit together in an
en-banc review of individual judges; and authorizes more expenditures on
administration staff
to handle surveillance applications. Intelligence
officials must report their surveillance orders to Congress, as well as
perform
regular audits every three months. Congress also requests an
audit of all warrantless surveillance programs. The new provisions of
the RESTORE Act would be set to expire in December of 2009.

Last summer's PAA removed some surveillance from the limited FISA court
review, allowed the government to create more surveillance
programs with
limited review, and immunized from lawsuits telecommunications companies
who participate in these programs. The surveillance
programs already
initiated under the PAA can continue past its expiration.

EPIC and other groups are suing the Department of Justice for
information on its warrantless surveillance program. EPIC's Freedom
of
Information Act request, filed shortly after the revelation of the
program, demands, among other things, the legal opinions describing the
legality
of the program.

In a Freedom of Information Act appeal filed on February 12, 2008, EPIC
challenged the Federal Trade Commission's failure to make public
documents relating to the
role of the Jones Day law firm in the
Google-Doubleclick merger review. The appeal follows EPIC’s original
Freedom of Information Act (FOIA) request, which sought the expedited
release of all documents concerning Jones Day's participation in the
Commission's merger
review, as well as Jones Day's involvement in other
matters regarding consumer privacy. The Commission failed to produce
the documents
within the statutorily prescribed time, and EPIC appealed.

During the Commission’s review of the Google-Doubleclick merger, Jones
Day publicly stated that it represented Doubleclick regarding
the
merger. EPIC learned that FTC Chairman Deborah Platt Majoras' husband,
John M. Majoras, is a Jones Day partner, and sought Chairman
Majoras’
recusal from the merger review. Jones Day then contradicted its
previous public statements, and deleted a web page detailing
the firm’s
representation of Doubleclick from the Jones Day web site.

In its recusal petition, EPIC noted that Chairman Majoras had previously
recused herself in other matters involving apparent conflicts
of
interest with the Jones Day firm. John Majoras is Jones Day’s "global
coordinator of competition law litigation" – the very practice
area
implicated by the Google-Doubleclick merger. However, Chairman Majoras
declined to recuse herself and continued to participate
in the
Google-Doubleclick review and voted to approve the merger without
conditions, despite privacy groups' warnings that the merger
would
threaten consumer privacy.

Before learning of Chairman Majoras' apparent conflict of interest, EPIC
urged the FTC to conduct a comprehensive review of the merger's
consumer
privacy implications. EPIC warned that the merger posed serious privacy
threats, and recommended that the Commission impose
conditions on the
merger. Numerous privacy groups and government leaders echoed EPIC’s
request that the Commission address the merger's
privacy implications.
For example, Senators Herb Kohl and Orrin Hatch, Chairman and Ranking
Member of the Senate Judiciary Committee's
Subcommittee on Antitrust,
Competition Policy and Consumer Rights, stated that "[the
Google-Doubleclick] deal raises fundamental
consumer privacy concerns
worthy of serious scrutiny."

On February 12, 2008, EPIC filed a Freedom of Information Act (FOIA)
request with the Virginia State Police. EPIC's request seeks documents
about a plan that would shroud the Virginia Fusion
Center, a database
that collects detailed information on ordinary citizens, in secrecy. The
Virginia legislature is considering a
bill that would limit Virginia's
open government and privacy statutes, as well as Virginia's common law
right of privacy, for Virginia
agencies connected to the Fusion Center.

Fusion centers are a means of bringing together information from
distributed sources for the purpose of collection, retention, analysis,
and dissemination. The Virginia Fusion Center was established in 2005
and is one of several similar entities established by state
governments
throughout the United States.

Federal guidelines state that the Fusion Center should accumulate and
retain information from a wide range of public and private sources.
Such information includes, but is not limited to: financial records;
credit reports; medical records; internet and email data; video
surveillance from retail stores and sporting facilities; data from
preschools; and welfare records. Press groups have criticized
the
proposed law, and warned that, if passed, Virginia citizens can "say
hello to Big Brother."

The Virginia Fusion Center's operations involve contact with federal
agencies, including the U.S. Department of Homeland Security
and the
U.S. Department of Justice, as well as other federal programs, including
the National Criminal Intelligence Sharing Plan
and the Criminal
Intelligence Coordinating Council. The federal government has spent at
least $380 million to support the state
Fusion Centers and other similar
entities. EPIC's FOIA request focuses on the possible role of the US
Department of Justice and the
US Department of Homeland Security in the
development of the Virginia legislation.

On February 14, 2008, Representative Edward Markey (D-Mass.) and
Representative Rahm Emanuel (D-Ill.) sponsored a bill that aims to
promote information technology (IT) while protecting patient privacy.
The Technologies for Restoring Users' Security and Trust (TRUST)
in
Health Information Act has been endorsed by several groups, including
Patient Privacy Rights, the American Association of Practicing
Psychiatrists, and
the National Association of Social Workers.

The TRUST Act will enable patients to exercise greater control over
their health information data and enjoy better security. In particular,
it allows patients to keep their medical records out of the IT systems
unless they consent to it, it requires that patients be notified
in case
of databank and record security breaches, and requires the use of
encryption and other security technology for the information
collected.
Violations can result in civil or criminal penalties.

Representative Markey has stated, "The spread of health IT holds
tremendous promise for improving patient care, reducing medical errors
and lowering costs. But this dream could quickly turn into a nightmare
for consumers without sufficient privacy and security safeguards
to
protect personal medical records from unauthorized access."

Previous health IT bills, which are still pending, did not adequately
address the privacy problems with the current regulations, according
to
patient privacy advocates. In October 2007, the Coalition for Patient
Privacy called on Congress to refrain from passing health
IT legislation
that did not protect health information privacy.

In a recently released report, the World Privacy Forum highlighted the
privacy risks associated with personal health records, which
are health
records for consumers that are often made accessible online and
comprised of data collected from a variety of sources.
Personal health
records are considered a new convenience technology but many fall
outside the purview of the Health Insurance Portability
and
Accountability Act and can threaten patient privacy.

European privacy officials determined this week that companies operating
search engines will be subject to European privacy rules
that limit the
collection, use, and disclosure of personal information. The privacy
officials who make up the Article 29 Working
Group stated that "The
protection of the users' privacy and the guaranteeing of their rights,
such as the right to access to their
data and the right to information
as provided for by the applicable data protection regulations, remain
the core issues of the ongoing
debate." Earlier this year, EPIC urged
the European Parliament to protect the privacy of search histories. A
report from the Article
29 Working Group on Search Engines and Privacy
is expected in April.

In a special report to Parliament, the Privacy Commissioner of Canada,
Jennifer Stoddart, stated that many of the national security
and
criminal operational intelligence files in Royal Canadian Mounted Police
(RCMP) databanks are kept without justification. Commissioner
Stoddart’s
office conducted an audit of exempt data banks held by federal
government departments and agencies, which was presented
in the special
report to the House of Commons in February 2008.

Commissioner Stoddart said the results were "disturbing" in the light of
a previous audit conducted 20 years ago which revealed compliance
problems that the RCMP had committed to address. The retention of secret
files can adversely affect Canadians trying to obtain an
employment
security clearance or crossing the border.

Proposal to Gather Biometrics From All Non-European Union Visitors to EU

The European Commission responsible for Justice, Liberty and Security on
February 13 released a proposal, "New tools for an integrated
European
Border Management Strategy." Among other things, the proposal recommends
the creation of a visitor entry/exit system that
would require any
non-EU visitors requiring visas "to provide their biometric data when
applying for a visa." The Commission also
proposes a "European Border
Surveillance System" be created, using satellites and unmanned aircraft
watch the borders. The proposals
would need to be approved by all EU
member states. Meanwhile, in the US, the FBI last week awarded Lockheed
Martin a $1 billion,
10-year contract to build a massive biometrics
database including iris scans and palm prints of U.S. residents. The FBI
also has
proposed an international biometrics database, where the US and
EU countries would share data. Critics have highlighted the problems
created by such massive system that would share data, including
inaccurate or fake information.

European Commission, New tools for an integrated European Border
Management Strategy (February 13, 2008):

New legislation will provide protection for people who sign up on the
national registry from telemarketers. The Do-Not-Call Improvement
Act of
2007 effectively prevents telemarketers from calling people who signed
up on the national registry. The bill was first introduced
in September
of 2007. The House passed the bill in December of 2007, and the Senate
passed the bill in February of this year. As
of last week, President
Bush signed the bill into law. The new legislation will allow consumers
to stay on the Do-Not-Call list permanently,
instead of having to renew
their listing every five years.

The Electronic Frontier Foundation (EFF) and the Asian Law Caucus (ALC)
recently filed suit against the Department of Homeland Security
(DHS)
for denying access to public records on the searching of travelers by
border agents at the U.S. borders. Travelers have complained
about being
questioned about their religious and political affiliations.
Other complaints involve border agents checking personal
items of
travelers such as their computers, business cards, handwritten notes,
and cell phone directories. The EFF and ALC are asking
DHS to
disclose its policy for searching travelers on what are First-Amendment
protected activities. In other words, the DHS should
explain why border
agents are often asking very personal questions or sifting through
personal documents at the U.S. Border. An EFF
attorney has stated that
the public has a right to know the standards for border searches.

On February 19 and 20, the Peruvian Economy of the Asia Pacific Economic
Cooperation (APEC) Forum hosted two capacity building workshops
on the
implementation of the APEC Privacy Framework, to coincide with the APEC
Data Privacy Sub-Group meeting to be held in Lima,
Peru on February 22.
The workshops brought together APEC member economies to discuss the
practical mechanisms for the international
implementation of the APEC
Privacy Framework, including the Data Privacy Pathfinder projects.

Clark Kent Ervin, the former Inspector General of the Department of
Homeland Security (DHS) describes several DHS programs, the
vulnerabilities
they are meant to address, and the vulnerabilities he
feels are unaddressed. He writes from the point of view of a security
bureaucrat.
When addressing changes allowing flyers to stand within 30
minutes of airspace in DC, he acknowledges that the change increases
convenience
and provides little insecurity. But he still includes the
note: "shouldn't we be tightening rather than loosening national
security?"
Consistent with that attitude, Ervin lists one alarming
vulnerability after another.

The real value of the book, though, is in the tales of his independent
position conflicting with the rest of the department. The Inspector
General serves as "an independent and objective inspection, audit, and
investigative body to promote effectiveness, efficiency, and
economy" in
DHS. The office is tasked with "prevent[ing] and detect[ing] fraud,
abuse, mismanagement, and waste" within the department.
DHS was not just
any other agency -- it was a brand new, and large agency, quickly
cobbled together from 22 others. It was not just
large but unwieldy --
the department CFO did not have authority over the component CFOs. Ditto
for procurement officers, and information
officers. The oversight
mission would be difficult in that environment.

From these interactions -- of the independent auditor against the
political appointees -- we see glimpses of how politics trumps policy,
and how spin rather than reform is the answer to poor performance.
Frequently, outsiders are shocked by his briefings and reports.
Insiders, however, are concerned with making bad results look good
rather than improving the results. The head of the Transportation
Security Administration interrupted a briefing on the performance of
passengers screeners to ask why the metric reported was a "failure
rate"
rather than the mathematically equivalent -- but better sounding --
"pass rate."

This attitude went to the top. After his second meeting with the
Secretary, Ervin concluded that Ridge was an "adversary, not an ally."
Following the release of a report on border vulnerabilities, secretary
Ridge asked for a meeting, and told of being "reamed" on the
Hill for
it. "Why do you keep putting out these damning reports," Ridge asked.
Notably, Tom Ridge, Director of DHS, asked Ervin:
"Are you my Inspector
General." Presumably forgetting the independent mission of the office,
Ervin was asked to delay his reports.
To make sure that his reports
matched the message from the secretary's press office. These are the
tactics of damage control, not
of reform.

Ervin's conclusion mirrors the layout of the book: a list of policy
recommendations for each type of vulnerability -- borders, air
attack,
port security, mass transit, critical infrastructure, intelligence,
preparedness and wasteful spending. However the best
conclusion is one
we are left to draw: DHS would be better served by more and more
powerful Ervins -- running not just oversight,
but actually implementing
programs.

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of
privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance
Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive
foundation
for an exciting course in this rapidly evolving area of law.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in
over
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating
to privacy.
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.

This is the standard reference work covering all aspects of the Freedom
of Information Act, the Privacy Act, the Government in the Sunshine Act,
and the Federal Advisory Committee Act. The 23nd edition fully updates
the
manual that lawyers, journalists and researchers have relied on for
more than 25 years. For those who litigate open government cases
(or
need to learn how to litigate them), this is an essential reference
manual.

This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS).
This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals
for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more
involved in the
WSIS process.

The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for
students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It
includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD
Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the
Video Voyeurism Prevention Act, and the
CAN-SPAM Act.

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or
share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We
do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription
information."

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus
public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical
record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

Donate to EPIC

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible.
Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009. Or you can contribute
online at:
http://www.epic.org/donate

Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation
of encryption and
expanding wiretapping powers.